Member Avatar for raa4

I've done what you said to do on this thread but i also scanned with spydoctor and the trojans still there, Here's my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 20:07:27, on 22/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Ruth Ankrah\My Documents\Computer Programs\hijackthis\HijackThis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Member Avatar for dlh6213

Can you tell us where Spyware Doctor says the trojan is located?

Member Avatar for DMR

Can you tell us where Spyware Doctor says the trojan is located?

Yes, do that if you can please. Your latest log looks clean, but HijackThis isn't designed to detect all types of infections, so you may still have something lurking in your system.

Also install the latest updates for your AVG anti-virus program and run a full scan with that. If AVG finds infections, give us the info on that from AVG's scan report.

Member Avatar for raa4

AVG also finds the infections but it wouldn't delete nor heal it as in evertime i put in in quarantine and tunn off my computer, when i switched it off then it would detect that i have the virus again.

spyware doctor says:
INFECTION LOCATION
trojan.hacktool.rootkit multiple
trojan.hacktool.rootkit HKLM\SYSTEM\ControlSet001\Services\msdirectx
trojan.hacktool.rootkit HKLM\SYSTEM\ControlSet001\Services\msdirectx\Security
trojan.hacktool.rootkit HKLM\SYSTEM\ControlSet002\Services\msdirectx
trojan.hacktool.rootkit HKLM\SYSTEM\ControlSet002\Services\msdirectx\Security
trojan.hacktool.rootkit HKLM\SYSTEM\CurrentControlSet\Services\msdirectx
trojan.hacktool.rootkit HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\security
and it says:
A worm/trojan which is installed onto the user's P.C unknowingly through a unsecured SQL server TCP port 1433

AVG says: Path
Trojan horse Collected.5.L C:\Documents and Settings\Ruth Ankrah\msdirectx.sys

I have located that folder but everytime i delete it it re-installs when i turn on my computer.

Member Avatar for DMR

1. Turn off System Restore; instructions and explanation are here.

2. Follow the trojan removal instructions given in this Microsoft article:

http://support.microsoft.com/?scid=kb;en-us;897079

3. Run the AVG and Spyware Doctor scans again. If they no longer detect the trojan, re-enable System Restore. If they still detect the trojan, let us know.

Member Avatar for raa4

I did what the instructions asked and ran spy doctor and it didn't detect anything and AVG also.

I followed instructions like those before (turning off system restore in normal mode and then deleting the files from the registery using regedit) but when you open safe mode it asks you to decide whther you want system restore to runor not even though you turned it off in normal mode, which i accidentally ticked yes (like a fool) anyway,:cheesy:

Thank you soooooooooooo much!
You guy's are stars!!!!

Member Avatar for DMR

Glad we could help you get it sorted :)

Member Avatar for stretch85

Hi, I've been having the same problem with that virus, and I followed your directions, and the virus is still there. It's a persistant little thing. Here are the stats on it:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Hacktool.Rootkit
File: C:\Documents and Settings\Jeff\msdirectx.sys
Location: Quarantine
Computer: HOME
User: Jeff
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Fri Jun 24 19:05:38 2005

I guess I'll try microsoft's 'automatic' way of ridding of it next; but if you have any more idea's, I sure would like to hear them.

Member Avatar for DMR

Hi stretch85 ,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

If you would like us to help you with your particular problem, please start your own thread in this forum and we'll take it from there. In your post, please include as much information as possible about the infection and what you've done so far to try to remove it.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.